Mobile

Why mobile apps need to have privacy policies

Mobile application creators need to ensure that customers know exactly how their user data is collected and stored. So far, it’s not an industry standard.

Often, when someone downloads a free app, she is giving up her data in exchange for that service. For example, she might download an app that requires her to link her Twitter account (or her Facebook) to use the app. In a typical financial transaction — say, $3 for a dozen eggs — you know how much you’re giving up. With these types of apps, though, the user enters an implicit agreement with the app and its brand. Usually that agreement is blind, with no notice of what exactly the app will collect and store or explanation of what will happen to that data.

Previously, mobile apps used unique device identifiers to identify mobile users and keep track of the data they generated. However, Apple recently announced the deprecation of UDIDs, possibly out of privacy concerns. UDIDs could be associated with other, personally identifiable information to create a mobile fingerprint that users might not have realized they left, or even had.

OpenFeint is a cautionary tale in the privacy-on-mobile discussion. (My company, Socialize, is a competitor of OpenFeint.) A mobile gaming network similar to GameCenter, OpenFeint landed in hot water because it did not clearly explain to its users (the mobile gamers) how it would collect and share their user data. The company now faces a class action lawsuit that alleges it linked users’ UDIDs to Facebook and Twitter profiles, as well as GPS coordinates, thus revealing identifying information such as gender, age, education level, geographic location and household income to app developers and potential third parties. OpenFeint’s users didn’t realize they were exposing all this data about themselves, that the data would be tied to their UDIDs, and to what extent OpenFeint and its enabled apps could track their activity.

At the very basic level, it’s necessary to store certain types of data for an app to run properly. Frankly, though, it’s not uncommon for apps and mobile brands to collect data to the extent that OpenFeint did. In light of the deprecated UDID, OpenFeint recently announced a single sign-on process to take the place of identifying users by UDIDs. The new identification process will limit the scope of user data that OpenFeint apps can collect, but it doesn’t eliminate privacy concerns entirely.

The fact of the matter is that most end users are ignorant of how much they expose about themselves when they authorize through Facebook or Twitter or any other sign-on process—and that this information would be shared to entities outside just the app developer. OpenFeint’s misstep was not collecting and sharing user data. Rather, OpenFeint made this practice seem covert and dishonest by neglecting to disclose their data handling. You want your app to build brand reputation, not harm it.

In order to establish best practices in the mobile industry, apps need to disclose. Their users are left in the dark as to how these brands collect, store and handle user data. Most users don’t even realize that there is data they share with the brands…and sometimes third-party advertisers too. And these users? According to a recent Nielsen poll, 59 percent of women and 52 percent of men say that they have privacy concerns related to their mobile apps.

Currently, it is not common practice to include a privacy policy when a user first launches or downloads a mobile app—but it should be. Apple-issued apps like iTunes, the App Store and Game Center require users to accept some sort of agreement whenever it is updated, but that’s Apple. Apple is a large corporation that understands the importance of CYA and so has had terms of service agreements (TOSes) and end user license agreements (EULAs) and privacy policies ingrained in their products for years. Look at iTunes: it already enjoyed a hardy userbase before it leaped to the smartphone, and those users were familiar with seeing (and agreeing to) a legal caveat emptor so they could download the latest iPod commercial ditty. Other mobile apps? Nary a policy in sight.

Think about the children. No, really, apps need to be especially careful with users under 13 years of age. The Children’s Online Privacy Protection Act (COPPA), which extends to mobile devices, provides special stipulations for dealing with children and their data. App creators must obtain parental consent to obtain personal information from children, and failure to do so can prove costly for children’s mobile games and even apps not necessarily geared toward children. In the last month, one developer settled with the Federal Trade Commission to the tune of $50,000 after charges of COPPA violations. That sort of oversight isn’t cheap.

Here’s the bottom line: An app needs clearly defined and easily accessible (from the app itself) privacy policy. What kind of data is stored? How is it collected? Is it encrypted? And above all, is it shared with any third parties? End users deserve to know how their data is handled, and in turn, the process of creating a privacy policy will allow app creators to anticipate user concerns and to protect themselves against legal issues. Ultimately, it will benefit app creators and their brands if they are upfront and honest with their end users.

Isaac Mosquera is the CTO and co-founder of Socialize, Inc., he spearheaded the creation of AppMakr.com, and he is the co-creator of FamilyOven.com, a recipe-oriented social networking site.

[Image via Slavoljub Pantelic/Shutterstock]


Mobile developer or publisher? VentureBeat is studying mobile marketing automation. Fill out our 5-minute survey, and we'll share the data with you.
1 comments